WLC 5508 unreachable for AP 3702 behind FW

adeebtaqui
Level 4

I am trying to join an AP 3702, connected to Cisco IE500 switches that are in the OT zone behind an NG FW 2110, to a WLC 5508 that is connected to the core switch 3850 outside the OT zone.

But from the AP's CLI it is not able to reach the WLC, and it is not getting an IP from the WLC's internal DHCP server.


balaji.bandi
Hall of Fame

You need to open the FW for the ports below, as per the Cisco recommendation.

For the AP to join the WLC: UDP 5246 and UDP 5247.

If you need more options like Telnet, HTTP, SSH or HTTPS to the AP, please open those ports for management as well.

BB

***** Rate All Helpful Responses *****

Leo Laohoo
Hall of Fame

@adeebtaqui wrote:

But from the AP's CLI it is not able to reach the WLC, and it is not getting an IP from the WLC's internal DHCP server.


This is not going to work.

The AP's IP address can only be pushed out using DHCP Option 43.

Maybe you need to configure an IP helper on the FW pointing to the WLC management interface, to forward the DHCP request from the AP to the WLC.

Regards,
AJF

Don't forget to rate helpful posts!

How do I configure an IP helper on the FW? The FW is an NGFW FPR2110 managed by an FMC1000.

Take a look at the following link: 

https://cisco.com/c/en/us/support/docs/security/firepower-ngfw/200475-Configure-DHCP-Server-Relay-on-FTD-Using.html

Regards,
AJF

Don't forget to rate helpful posts!

Why didn't you just stage the AP? You should have connected it locally first to join the controller; then you wouldn't have to deal with an IP helper, etc. You could also have someone console into the AP and set the controller IP.

-Scott
*** Please rate helpful posts ***

How do I do this on a 3702, as it is CAPWAP?

From a console connection to the AP:

ap#capwap ap controller ip address 10.10.10.10    (WLC IP)

OR

ap#capwap ap primary-base WLCNAME 10.10.10.10    (WLC IP)

Console into the AP and reboot. I want to see what the AP is doing.

Copy in progress...CC
Uncompressing radio files...
...done Initializing flashfs.

Radio0 present 8764 8000 0 A8000000 A8010000 0
Rate table has 650 entries (20 legacy/224 11n/406 11ac)

POWER TABLE FILENAME = ram:/R2.bin

Radio1 present 8864 8000 0 80000000 80100000 4
POWER TABLE FILENAME = ram:/R5.bin

Radio2 not present 0 0 0 0 0 8
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3702E-E-K9 (PowerPC) processor (revision A0) with 376814K/134656K bytes of memory.
Processor board ID FCZ2024L027
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.135.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:62:EC:20:5B:D8
Part Number : 73-15397-01
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC20164VZT
Top Assembly Part Number : 068-05055-07
Top Assembly Serial Number : FCZ2024L027
Top Revision Number : A0
Product/Model Number : AIR-CAP3702E-E-K9
% Please define a domain-name first.


Press RETURN to get started!


*Mar 1 00:00:16.711: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:17.167: Registering HW DTLS

*Mar 1 00:00:17.175: APAVC: Initial WLAN Buffers Given to System is 2500

*Mar 1 00:00:17.227: APAVC: WlanPAKs 42878 RadioPaks 42270

*Mar 1 00:00:19.543: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:23.499: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:23.615: loading Power Tables from ram:/R2.bin. Class = E
*Mar 1 00:00:23.615: record size of 3ss: 1168 read_ptr: 52FE74E

*Mar 1 00:00:28.651: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:28.699: loading Power Tables from ram:/R5.bin. Class = E
*Mar 1 00:00:28.699: record size of vht: 2904 read_ptr: 52FE74E

*Mar 1 00:00:28.855: Wait until the stile protocol list is initialized.

*Mar 1 00:00:30.095: Start STILE Activation

*Mar 1 00:00:32.007: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:32.883: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 27-May-16 02:08 by prod_rel_team
*Mar 1 00:00:32.883: %SNMP-5-COLDSTART: SNMP agent on host AP0062.ec20.5bd8 is undergoing a cold start
*Mar 1 00:00:33.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:35.219: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
lwapp_crypto_init: MIC Present and Parsed Successfully

*Mar 1 00:00:35.375: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:35.375: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:36.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:36.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:45.063: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Mar 1 00:00:46.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Mar 1 00:00:47.887: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Mar 1 00:00:47.887: DPAA Initialization Complete
*Mar 1 00:00:47.887: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:48.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:50.891: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Mar 1 00:00:51.323: Currently running a Release Image

*Mar 1 00:00:51.743: Using SHA-2 signed certificate for image signing validation.
*Mar 1 00:00:52.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:58.211: APAVC: Succeeded to activate all the STILE protocols.

*Mar 1 00:00:58.211: APAVC: Registering with CFT

*Mar 1 00:00:58.211: APAVC: CFT registration of delete callback succeeded

*Mar 1 00:00:58.211: APAVC: Reattaching Original Buffer pool for system use

*Mar 1 00:00:58.211: Pool-ReAtach: paks 42878 radio42270
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:01:05.623: AP image integrity check PASSED

*Mar 1 00:01:05.723: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:01:05.723: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:15.731: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
*Mar 1 00:01:16.731: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 started - CLI initiated
*Mar 1 00:01:18.939: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar 1 00:01:20.051: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:21.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:21.319: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:22.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 1 00:02:08.323: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:02:08.327: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:02:08.335: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:02:09.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:02:09.371: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:02:09.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 1 00:02:09.387: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:02:10.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:02:10.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:02:10.455: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:02:11.455: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Not in Bound state.
*Mar 1 00:02:15.739: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
Not in Bound state.
*Mar 1 00:03:05.743: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP

Looks like Option 43 is not in place, with the corresponding VCI (vendor class identifier) in the DHCP server = Cisco AP c3700.

Is the configuration below on the aggregation switch fine for Option 43?

ip dhcp pool vlan84
 network 10.10.84.0 255.255.255.0
 ! 10.10.84.254 is the default gateway of VLAN 84 on the aggregation switch
 default-router 10.10.84.254
 domain-name ----.com
 option 60 ascii "Cisco AP c3700"

This aggregation switch is connected to the FW from the inside and is the gateway for the inside-zone switches and OT users. It is connected to the internal interface of the FW. The FW's outside interface is connected to the core switch, which gives connectivity to the WLC 5508, whose management IP is 10.10.7.1.

Also, should I statically configure this on the AP 3702:

ap#capwap ap primary-base WLCNAME 10.10.7.1

Is this static config enough, or should I add DHCP Option 43 as well? For the other WLANs on the WLC, for users outside the FW, I have used the WLC internal DHCP server.


@adeebtaqui wrote:

Is the configuration below on the aggregation switch fine for Option 43? [...] Is this static config enough, or should I add DHCP Option 43 as well?


The DHCP pool only has DHCP Option 60. DHCP Option 43 is what lets the AP learn the WLC details.

Based on my understanding, Option 60 is ONLY the VCI and it does not provide the WLC IP. That is why you need Option 43, or you configure the WLC IP manually on the AP as indicated before.
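Added example for this thread (Python; not code from any poster or from Cisco): it builds the Option 43 payload in the form Cisco documents for lightweight APs (one TLV, sub-option type 0xF1, length 4 × number of controllers, then each WLC management IP as four raw bytes), renders it as the IOS `option 43 hex` line for the 10.10.7.1 WLC named above, and decodes a payload back while rejecting truncated or mis-sized TLVs. The VCI-to-WLC table is a constructed illustration of the point in the reply: Option 60 comes from the AP and only identifies it, Option 43 goes to the AP and carries the WLC IPs.

```python
"""DHCP Option 43 as Cisco lightweight APs expect it for WLC discovery.

Added example for this thread, not code from any poster or from Cisco.
Cisco's documented encoding: one TLV with sub-option type 0xF1 (241),
length = 4 * (number of controllers), value = each WLC management IP
as four raw bytes.  10.10.7.1 is the WLC management IP given in the
thread; the VCI table below is a constructed illustration.
"""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # Cisco sub-option carrying WLC IPs

# Constructed mapping: which WLC list a DHCP server hands out for a given
# Option 60 vendor class identifier.  Option 60 comes FROM the AP and only
# identifies the hardware; Option 43 goes TO the AP with the WLC IPs.
VCI_TO_WLCS = {
    "Cisco AP c3700": ["10.10.7.1"],
}


def build_option43(wlc_ips):
    """Return the raw Option 43 payload bytes for the given WLC IPs."""
    if not wlc_ips:
        raise ValueError("at least one WLC IP is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a single TLV")
    return bytes([CISCO_WLC_SUBOPTION, len(value)]) + value


def ios_option43_hex(wlc_ips):
    """Render the payload as an IOS DHCP-pool line, in dotted 16-bit groups."""
    digits = build_option43(wlc_ips).hex()
    groups = [digits[i:i + 4] for i in range(0, len(digits), 4)]
    return "option 43 hex " + ".".join(groups)


def decode_option43(payload):
    """Walk the TLVs in an Option 43 payload and return the WLC IPs found.

    Rejects truncated TLVs and a Cisco sub-option whose length is not a
    multiple of four, the two malformations a mistyped pool line produces.
    """
    wlcs = []
    i = 0
    while i < len(payload):
        sub_type = payload[i]
        if sub_type == 0xFF:  # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated TLV header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if sub_type == CISCO_WLC_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("WLC sub-option length is not a multiple of 4")
            wlcs.extend(
                str(ipaddress.IPv4Address(value[k:k + 4]))
                for k in range(0, length, 4)
            )
        i += 2 + length
    return wlcs


def option43_for_vci(vci, table=VCI_TO_WLCS):
    """Simulate a server's class match: payload for a known VCI, else None."""
    wlcs = table.get(vci)
    return build_option43(wlcs) if wlcs else None


if __name__ == "__main__":
    print(ios_option43_hex(["10.10.7.1"]))
    print(decode_option43(option43_for_vci("Cisco AP c3700")))
```

For the pool in the thread this yields `option 43 hex f104.0a0a.0701`, to be added alongside the existing `option 60 ascii "Cisco AP c3700"`; the decoder is a quick way to check a hex string before committing it to a production pool.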
